This articlerelies largely or entirely on asingle source. Relevant discussion may be found on thetalk page. Please helpimprove this article byintroducing citations to additional sources. Find sources: "Cayley–Purser algorithm" – news ·newspapers ·books ·scholar ·JSTOR(October 2019)

TheCayley–Purser algorithm was apublic-key cryptographyalgorithm published in early 1999 by 16-year-oldIrishwomanSarah Flannery, based on an unpublished work byMichael Purser, founder ofBaltimore Technologies, aDublin data security company. Flannery named it formathematicianArthur Cayley. It has since been found to be flawed as a public-key algorithm, but was the subject of considerable media attention.

During a work-experience placement with Baltimore Technologies, Flannery was shown an unpublished paper by Michael Purser which outlined a newpublic-key cryptographic scheme usingnon-commutative multiplication. She was asked to write an implementation of this scheme inMathematica.

Before this placement, Flannery had attended the 1998ESAT Young Scientist and Technology Exhibition with a project describing already existing cryptographic techniques from theCaesar cipher toRSA. This had won her the Intel Student Award which included the opportunity to compete in the 1998Intel International Science and Engineering Fair in the United States. Feeling that she needed some original work to add to her exhibition project, Flannery asked Michael Purser for permission to include work based on his cryptographic scheme.

On advice from her mathematician father, Flannery decided to usematrices to implement Purser's scheme asmatrix multiplication has the necessary property of being non-commutative. As the resulting algorithm would depend on multiplication it would be a great deal faster than the RSA algorithm which uses anexponential step. For her Intel Science Fair project Flannery prepared a demonstration where the same plaintext was enciphered using both RSA and her new Cayley–Purser algorithm and it did indeed show a significant time improvement.

Returning to the ESAT Young Scientist and Technology Exhibition in 1999, Flannery formalised Cayley-Purser's runtime and analyzed a variety of known attacks, none of which were determined to be effective.

Flannery did not make any claims that the Cayley–Purser algorithm would replace RSA, knowing that any new cryptographic system would need to stand the test of time before it could be acknowledged as a secure system. The media were not so circumspect however and when she received first prize at the ESAT exhibition, newspapers around the world reported the story that a young girl genius had revolutionised cryptography.

In fact an attack on the algorithm was discovered shortly afterwards but she analyzed it and included it as an appendix in later competitions, including a Europe-wide competition in which she won a major award.

Notation used in this discussion is as in Flannery's original paper.

Like RSA, Cayley-Purser begins by generating two large primesp andq and their productn, asemiprime. Next, considerGL(2,n), thegeneral linear group of 2×2 matrices with integer elements andmodular arithmetic modn. For example, ifn=5, we could write:

This group is chosen because it has large order (for large semiprimen), equal to (p²−1)(p²−p)(q²−1)(q²−q).

Let${\displaystyle \chi }$ and${\displaystyle \alpha }$ be two such matrices from GL(2,n) chosen such that${\displaystyle \chi \alpha \ne \alpha \chi }$. Choose some natural numberr and compute:

${\displaystyle \beta ={\chi }^{-1}{\alpha }^{-1}\chi ,}$

${\displaystyle \gamma ={\chi }^r.}$

The public key is${\displaystyle n}$,${\displaystyle \alpha }$,${\displaystyle \beta }$, and${\displaystyle \gamma }$. The private key is${\displaystyle \chi }$.

The sender begins by generating a random natural numbers and computing:

${\displaystyle \delta ={\gamma }^s}$

${\displaystyle ϵ={\delta }^{-1}\alpha \delta }$

${\displaystyle \kappa ={\delta }^{-1}\beta \delta }$

Then, to encrypt a message, each message block is encoded as a number (as in RSA) and they are placed four at a time as elements of a plaintext matrix${\displaystyle \mu }$. Each${\displaystyle \mu }$ is encrypted using:

${\displaystyle {\mu }^{\prime }=\kappa \mu \kappa .}$

Then${\displaystyle {\mu }^{\prime }}$ and${\displaystyle ϵ}$ are sent to the receiver.

The receiver recovers the original plaintext matrix${\displaystyle \mu }$ via:

${\displaystyle \lambda ={\chi }^{-1}ϵ\chi ,}$

${\displaystyle \mu =\lambda {\mu }^{\prime }\lambda .}$

Recovering the private key${\displaystyle \chi }$ from${\displaystyle \gamma }$ is computationally infeasible, at least as hard as finding square roots modn (seequadratic residue). It could be recovered from${\displaystyle \alpha }$ and${\displaystyle \beta }$ if the system${\displaystyle \chi \beta ={\alpha }^{-1}\chi }$ could be solved, but the number of solutions to this system is large as long as elements in the group have a large order, which can be guaranteed for almost every element.

However, the system can be broken by finding a multiple${\displaystyle {\chi }^{\prime }}$ of${\displaystyle \chi }$ by solving for${\displaystyle d}$ in the following congruence:

${\displaystyle d\left(\beta -{\alpha }^{-1}\right)\equiv \left({\alpha }^{-1}\gamma -\gamma \beta \right)(\mathrm{mod}n)}$

Observe that a solution exists if for some${\displaystyle i,j\in \left|\gamma \right|}$ and${\displaystyle x,y\in {\mathbb{Z}}_n}$

${\displaystyle x\left({\beta }_{ij}^{-1}-{\alpha }_{ij}\right)\equiv y(\mathrm{mod}n).}$

If${\displaystyle d}$ is known,${\displaystyle d\mathrm{I}+\gamma ={\chi }^{\prime }}$ — a multiple of${\displaystyle \chi }$. Any multiple of${\displaystyle \chi }$ yields${\displaystyle \lambda ={\kappa }^{-1}=v^{-1}{\chi }^{-1}ϵv\chi }$. This presents a fatal weakness for the system, which has not yet been reconciled.

This flaw does not preclude the algorithm's use as a mixed private-key/public-key algorithm, if the sender transmits${\displaystyle ϵ}$ secretly, but this approach presents no advantage over the common approach of transmitting asymmetric encryption key using a public-key encryption scheme and then switching to symmetric encryption, which is faster than Cayley-Purser.

• Non-commutative cryptography

• Sarah Flannery and David Flannery.In Code: A Mathematical Journey.ISBN 0-7611-2384-9

• Public-key encryption schemes
• Broken cryptography algorithms

• Articles with short description
• Short description is different from Wikidata
• Articles needing additional references from October 2019
• All articles needing additional references